Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories: 0 · Comments: 5,534

Comments · 5,534

  1. Re: Our saving grace, perhaps? on Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving · Score: 1

    For now that is. Right now, malware writers are going for low-hanging fruit, who don't even know what a VM is, or if they ran one on their desktop, would complain about performance (not knowing the VM disk images belong on an SSD, or at least their own spindles to not contend with the host desktop OS [1]).

    Once VMs gain traction (say someone combines dedupe with COW and applications wind up with their instance of an OS with just the footprint of the application so VMs become as common as applications with their own separate stack/heap are now), it will be a different story. We will start seeing attacks on hypervisors being attempted [2], but since hypervisors have historically been built from the ground up for security, this will help mitigate things. Of course, as stated elsewhere, the bad guys can always have their code pull chaff such as a fake malware instance to lead researchers on rabbit trails.

    [1]: Desktop OS. This isn't as big an issue with ESXi, especially with compute nodes and big fat disk caches on the HBAs or CNAs.

    [2]: Mixed bag. I'd like to see hypervisors get hardened, but if there is some sort of attack at the CPU level, that means malware in one VM has it made on the entire machine... and there would be no way to ever address that short of tossing the CPU or entire machine.

  2. Our saving grace, perhaps? on Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving · Score: 2

    This may be our saving grace, something as simple as doing one's work in VMs, using the bare metal OS pretty much as a hypervisor and method to back up the VM images. With SSDs, this makes the job easier (because booting an OS isn't that I/O intensive, but you have multiple instances fighting for the drive head on conventional HDDs, which causes I/O slowdowns across the board.)

    VMs are one of the few tools that can fight ransomware effectively. If the software doesn't play and deletes itself, no major loss. When hypervisors start getting "smarter" and are able to use heuristics to detect zero day infections that are hidden to the OS in a VM, this will raise the barrier significantly. Of course, the ability to roll back to a known, good snapshot in seconds completely negates ransomware's ability to destroy stuff, forcing the software to have to be inactive for a long period of time to hide its functioning.

  3. Re:BECAUSE IDIOTS PAY IT! on Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving · Score: 1

    I'm reading this as basically creating a tar file of the machine and documents, throwing it to a remote machine's incoming directory, and that incoming machine moving the file to somewhere inaccessible to the client?

    This is a way to do it, but it might be better to just have the NAS or other appliance initiate the pull so the data can be better stored in snapshots.

  4. Re:Not a Federal priority on Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving · Score: 2

    Now that's the rub. All it takes is for the trail to hit a country that is overtly hostile to the US, or just not willing to cooperate, and the trail goes cold. For example, if the perp who made malware tools was situated in Yemen, Brazil, or Venezuela, the local government would be giving the person accolades for doing such a thing.

    As for Bitcoins, they are definitely traceable. However, efforts like tumblers and CoinJoin may be new and holes found, but they are getting better, and if combined with an exchange that would trade BTC for another currency, that would leave the trail cold. If worse comes to worst, there will be someone who makes a Bitcoin 2.0 that has anonymity built in.

    US law enforcement can't really fix this problem, just because it is almost invariably the case that any investigation will lead outside of the country's borders, forcing any police work to become an international effort, and other countries tend to really not care if a foreign citizen gets taken for a ride, as opposed to investigating domestic issues.

    This is a problem that has to be fixed by technical means. Legal means will not really work here.

  5. Re:You know it's not going to work on Cameron Asserts UK Gov't Will Leave No "Safe Space" For Private Communications · Score: 5, Interesting

    It also is going to backfire.

    Take SSL/TLS. Are they going to demand both parties stash the session key, or do their handshaking through a proxy logging each packet? The first time some intruders nail that data store and find out a bunch of banking passwords, the cost of that breach will be incredible. If they alter the SSL/TLS algorithm, will it bring unexpected changes that destroy the algorithm's security, or will the code used not implement the changes in a secure fashion?

    As for outlawing it, it -could- be done, but it would require far-reaching internal and external controls, with very sophisticated algorithms to detect unauthorized encryption, and pull that machine from the net. However, this is a cat and mouse game... and ultimately, the bad guys are just going to do like Daesh, and AQ before them... and go back to couriers, dead drops, and burner phones. Yes, it doesn't give as fast results as the Net, but it is a lot tougher to intercept. So, it can be done... but it is doubtful that even the British people would tolerate this much interference in their lives.

  6. Re:BECAUSE IDIOTS PAY IT! on Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving · Score: 5, Informative

    Unfortunately, as it stands right now, even with rapid growth, ransomware is approaching its infancy. I'm not going to be surprised when the next CryptoWall releases go after Active Directory and enterprise-level resources, as opposed to local items and the network share or two.

    Three reasons why this is:

    1: There are no SOHO backup systems to defend against it. If you can get the user to not restore in 30 days with most cloud backups, their data is gone... and some cloud backups may just only keep the latest (useless) version. Plugging in a USB flash drive, backup drive, using a NAS, or using a Time Capsule works against disasters like HDD failure or accidental microwaving of a laptop... but all ransomware has to do is zero out the backup drive... or just punch random holes in stored files so they are worthless. A lot of newer machines don't have optical drives, much less decent backup software to get the user to back up to them.

    If you want a real defense against ransomware, it takes an external backup server which pulls data, stores it where the client machine cannot access or destroy it, and can store images for weeks to possibly years (because as ransomware evolves [1], it will be running longer before it gets detected.) However, not many home users will buy a PC with some drives, slap Windows Server 2012 R2 Essentials on it (which replaces Windows Home Server), and use that to pull backups from their desktops. There are appliances that do this... if you want to pay $50,000 to Symantec for a NetBackup appliance, and have the rack space for it.

    What is really needed is a standard, cross platform backup client that not just allows for files, but snapshots (so open files can be copied) and entire machines, so bare metal restores are easy to accomplish, be it a restore to a local drive, or via the network. For authentication, something similar to SSH. This way, a user can buy an appliance, log onto the console, set up backups (perhaps RSA key exchanges), set up schedules, and call it done. More features (encryption, deduplication) can be added... but the main thing is getting backups going in the first place.

    2: The infection vectors are still there. For example, a malware writer might write code to take advantage of a compromised/buggy browser add-on, it goes through an ad server, and winds up nailing people visiting even mainstream sites.

    Even ten years later, the Web browser is still the primary infection vector. Even with virtual machine and container technology, if an add-on gets nailed, there is a good chance it can seize the entire browser, and thus a user context. Even with just the context of a browser add-on, it likely can read and write to any documents the user has access to. Add a few more exploits, it can run unfettered as a user, or even get admin/root rights so it can reflash the firmware on drives, video cards, keyboards, and other items.

    This can be limited by running the browser in a VM or sandbox, but most users won't be doing this, so it is only a matter of time before the next add-on has 0-days, and just visiting a site results in compromise.

    3: Not as bad as drive-by compromises, but Trojans are still an issue. On Linux, BSD, and OS X, this is less of an item, since users are conditioned to use a repository. Windows still is wild and wooly when it comes to this, and even if one does visit the right download site, it might be that a mirror decided to pack some additional "functionality" into the installer, and re-sign that with their own Authenticode key, so it passes the signature check test.

    The possible fix? MS having a store that allows for more than just Metro applications to be installed and updated, preferably with active, brutal curation. That way, if a user wants a copy of WinZip, they just fetch it from the store, rather than risk a compromised website, mirror, CDN, or app installer.

    Ransomware is going to be with us a long time, just because it does well at going after the low hanging fruit, and with what is available (domain admin rights, for example), just encrypting files is just the initial salvo in this battle.

    [1]: It is pretty much a fact that malware, as a whole, is the absolute best code in terms of quality, robustness, and updates.

  7. Re:Industrial accidents happen on Volkswagen Factory Worker Killed By a Robot · Score: 1

    With how many robots are in use, it was just a matter of time before some freak accident would happen. Even if one set of odds is one in a million that something would be overridden at the right time, coupled with the one in a million chance of being in the wrong place, eventually someone is going to roll all "1s".

    This is what insurance is for.

    Were it not a robot, this would be dismissed as another accident at work, the worker (or next of kin) recompensed, and life would move on.

  8. Re:Shoeboxes on Where Facebook Stores 900 Million New Photos Per Day · Score: 1

    What I don't get is why FB doesn't just use tape. Tape drives are expensive, but the media itself is cheap -- LTO-4 cartridges are $15 apiece, and tape is a true archival grade media.

    Plus, with tape, you copy it to that, yank the tapes out of the autochanger, and toss them in an unused corner of a room. Tapes take 0 watts in storage (other than what it takes for HVAC), so other than physical access concerns, they are easily stashed and will remain usable for quite a long time.

    If any industry needs a kick in the pants with regards to capacity improvements, it is the tape media industry. A tape has far more area to put data on than an HDD platter, so there is a lot of room to add capacity, as well as reduce price with cartridges and drives, especially if mass produced so economies of scale kick in. Back in the 1990s, almost any business had some form of tape drive, which worked fairly decently for backups (although 4mm/8mm drives are nowhere near as reliable as an LTO drive.)

    No, tape isn't trendy... but it functions well, and with WORM media or hardware write protection, it is resistant to malware. With hardware encryption in newer revs (LTO-4 and newer), it is trivial to just set a password and call it done when it comes to that security... that way, if a tape falls off the Iron Maiden truck, it is just a hardware loss... no worry about compromised data.

  9. Re:Meh on 18 Years On, Ultima Online Is Still Going · Score: 1

    I've found that EQ1 is still pretty good... but you have two choices:

    Play on a timelocked server, where there is relatively not that much content... but it winds up grindy.

    Play on a regular server and get your levels and AAs so you can group/raid.

    Timelocked servers have nostalgia value... but it might be too slow and quirky for someone new, and one can wind up hitting a dead-end (can't really solo, no groups), especially when the newness wears off.

    There are also plenty of other MMOs still around. DAoC is still twitching, DDO, Neverwinter, and LOTRO are still going. Rift is still an alternate to WoW (except minus the mini-game of garrisons [1]).

    IMHO, what kills MMOs for me are the cash shops. Daybreak does it right -- you can buy gewgaws, pets, mounts, and bags... but other than XP potions, there isn't anything that can affect game play. Rift, on the other hand, I wound up pulling my sub for good (I used to subscribe yearly) because people just hit the shop, and buy a set of raid-tier armor. Rift was great in customization, but the fact that you can toss cash and wind up with all the endgame stuff has put the game into the same category as the junk (IMHO) F2P/P2W "MMOs" found on Android and iOS.

    [1]: Oddly enough, the garrison mini-game is one of the nice things about WoW. Cycle missions on alts in the morning, cycle missions later on, and they wind up at a point where they can still run the circus of LFRs, if not normals.

  10. FB hardware may be lucrative... on Where Facebook Stores 900 Million New Photos Per Day · Score: 1

    It might be that using Blu-Ray autochangers may be a very useful thing to have, especially for something that can fill the gap between HDDs and LTO tapes for backups [1].

    The pathetic thing is that this technology isn't new. We used to have 100, 200, even 400 disk CD and DVD carousels. By replacing the CD reader with a burner, and using 128 GB BDXL media, that means tens of terabytes of tamper-resistant (important with all the ransomware out there) WORM storage.

    The trick is getting BD media into the terabytes and getting it at a price point where it is decently affordable. For example, a 100 GB BDXL disk is $65, but it should be about 10% of that price in order to be a viable backup medium.

    [1]: The cloud isn't an option in a number of cases (WAN bandwidth isn't cheap), and it is only a matter of time before a major provider gets hacked.

  11. Private networks on Interviews: Brian Krebs Answers Your Questions · Score: 1

    Thank you for the answer on private WANs or government extranet firewalls. If used properly, even a private IP MPLS shared between a few businesses would add a layer of security. However, if not used correctly, it provides little to no protection. Just one machine with IP forwarding turned on can negate the protection.

    It might just be that the core of security against hacks will continue being the core/edge network fabric, because it is a lot harder to secure individual devices than it is to lock down network appliances. The fundamental "heavy armor" just at the firewall will fundamentally change to a fabric that assumes an attack can come from any network segment... well, pretty much any network segment but the management network. The management network will be ever more prized as a target of attack, since that is where the SAN controllers live, and dumping logical disks and destroying data may become part of a security breach as hacker groups with the will, but not the way (extremist groups) make deals with groups with the means (the 0-days), but not the interest to wreak havoc.

    Or, it might be that we return to a mainframe and glass-house IT architecture for security reasons. Even though the IRS had a breach, it wasn't their systems specifically that allowed it, but was an unauthorized query through an authorized source. The equivalent of someone seeing a key in the car's ignition and driving off, even though the ignition key has a state of the art transponder system. The IRS is still running on a mainframe architecture, and this seems to have provided a decent amount of security because all the data is in one place, and unless an authorized query takes place that shouldn't, it is pretty well secured.

    Long term, I can see businesses moving to a system where all data is physically stored in one (or perhaps two locations using async replication), the data manipulation is all done by a server in the glass room, and access to the data is done by the next generation of JavaStations/X terminals/VT100s, which provide a monitor and HIDs, and that's it. I would not be surprised to see this happen, as it is the other end of the pendulum, as we swing away from cloud computing as the buzzword choice. It has been a while since thin clients have been touted as the Next Best Thing (tm), so I will be genuinely surprised if I don't see a return to having Citrix, RDP or some other remote desktop access done for a work desktop. Even though it isn't a fad, VDI has been gaining steam, so it wouldn't be surprising to wind up with physical terminals on the desktop, access going to the HP MoonShot farm with 45 VDI blades, and from there, RDP or App-V sessions going to where the data is.

  12. Re:IoT is unsecurable on Stanford Starts the 'Secure Internet of Things Project' · Score: 1

    Some IoT devices will wind up with their own cellular antenna. This will wind up being used as a nice entry point for attackers who will be able to jump through the device to a private network, or just use it for distributed Dogecoin mining.

  13. How about IoT devices use a LAN? on Stanford Starts the 'Secure Internet of Things Project' · Score: 2

    TFA was "meh" at best, but why not design a secure architecture where the $50 device communicates to some type of secure hub (or hubs if one wants redundancy), and the hub is what communicates on the Internet. This way, only one device has to be hardened against attack via the Net. Yes, it doesn't stop attacks done at the LAN level... but any security is better than none, and it would help lock out all intruders except those close by in physical proximity.

    This can be done a number of ways, by the central hub being a Wi-Fi AP, or just part of a BT PAN pairing.

    To boot, if devices need to communicate with a remote site, there are many ways to communicate via secured link.

    A hub topology is the proper way to do IoT. Letting every device go out via 3G or whatnot is only asking for compromise.

    Realistically, if the device is "smart", it should just get passed up. If we don't pass up on these devices, we will be seeing a fridge demanding one sit through a 30 second ad before it unlocks the door, or an oven only allowing Slurm brand turkeys to be baked in it.

  14. Re:Good luck with that... on White House Lures Mudge From Google To Launch Cyber UL · Score: 2

    True. Right now, -anything- is better than what we have now, as it is hard to fall off the floor.

    The only real way I see security improving is if insurance companies start mandating some security guidelines. It may not be PCI-DSS 3 strict, but with some semblance of auditing and accountability. Businesses have basic guidelines for physical asset protection (alarm on building, sprinklers, locks on the door, deposit safe), and if insurance demands they have computer and network protection, it would be one of the few ways we might see security happen.

  15. Good luck with that... on White House Lures Mudge From Google To Launch Cyber UL · Score: 1

    I wish them luck. Security is less of a "can't" thing as opposed to a "not worth the trouble" item.

    The fundamentals are widely known, and were in place for ages -- use private WANs (although settling for Private IP MPLS networks is better than nothing) for traffic that should not be on the Net, use basic firewalling, run an IDS/IPS.

    On the system level, SIEM is a big thing. Had Sony had AD policies that alerted if passwords were being guessed and locked accounts (even if the lockout time is just 1-5 minutes), the intrusion would have been mitigated.

    Yes, the enterprise stuff is costly, but on the SOHO/SMB level, one can easily use a PC as a decent firewall, either using Windows Server 2012 and RRAS or a UNIX and its innate routing capabilities. There are open source tools (snort, nagios) for IDS/IPS work, and for logs, Splunk, SolarWinds, or GrayLog.

    Next to will, there is the fact that competent computer security people are rare. For every clued person, there are at least ten suit wearing chatter monkeys who are willing to sell some "solution".

    I still wonder if the answer is something similar to the Great Firewall of China, but this is a double-edged technology. However, the good side is that it could be used to break international botnets as well as block known malware origination sites via IP until the IP owner cleans their mess. This way, there are far fewer attacks actually hitting sites inside the US, and it would force intruders to compromise domestic machines. Of course, the bad thing is that it could easily be a censorship tool, just like China's version.
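The lockout-and-alert policy this comment argues for, as an added illustration (not code from the comment or from Slashdot): constructed failed-logon lines in a layout that loosely mirrors Windows event 4625 are replayed through an AD-style policy (threshold, counter reset window, lockout duration), and the code counts how many guesses still reach password verification versus how many are refused, plus the alerts a SIEM would see. The event format, account names and addresses are all constructed for the example.

```python
"""Replay constructed failed-logon events through an AD-style account lockout policy."""
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed line layout (not a real Security log): ISO timestamp, then a few 4625-like fields.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def constructed_events() -> List[str]:
    """Constructed sample: 120 guesses against 'svc_backup' (one every 10 s for 20 minutes)
    from a single source, plus two typos by a legitimate user."""
    t0 = datetime(2014, 11, 24, 3, 0, 0)

    def line(ts: datetime, user: str, ip: str) -> str:
        return f"{ts.isoformat()} EventID=4625 TargetUserName={user} IpAddress={ip} Status=0xC000006D"

    lines = [line(t0 + timedelta(seconds=10 * i), "svc_backup", "10.0.0.77") for i in range(120)]
    lines.append(line(t0 + timedelta(seconds=5), "alice", "10.0.0.12"))
    lines.append(line(t0 + timedelta(seconds=40), "alice", "10.0.0.12"))
    return sorted(lines)  # ISO-8601 timestamps sort chronologically as strings


def parse_event(line: str) -> dict:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"]), "event_id": int(m["eid"]),
            "user": m["user"], "ip": m["ip"], "status": m["status"]}


@dataclass
class LockoutPolicy:
    threshold: int = 5                                     # "account lockout threshold"
    observation_window: timedelta = timedelta(minutes=30)  # "reset lockout counter after"
    lockout_duration: timedelta = timedelta(minutes=5)     # "account lockout duration"


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)
    locked_until: Optional[datetime] = None


def apply_policy(lines: List[str], policy: LockoutPolicy) -> Tuple[List[dict], int, int]:
    """Returns (alerts, checked, blocked): alerts raised each time an account locks,
    guesses that reached password verification, and guesses refused because the
    account was already locked."""
    states: Dict[str, AccountState] = {}
    alerts: List[dict] = []
    checked = blocked = 0
    for ev in map(parse_event, lines):
        if ev["event_id"] != 4625:
            continue
        st = states.setdefault(ev["user"], AccountState())
        if st.locked_until is not None and ev["ts"] < st.locked_until:
            blocked += 1  # locked account: the guess never reaches the password check
            continue
        checked += 1
        # Expire failures older than the observation window (the counter reset).
        while st.failures and ev["ts"] - st.failures[0] > policy.observation_window:
            st.failures.popleft()
        st.failures.append(ev["ts"])
        if len(st.failures) >= policy.threshold:
            st.locked_until = ev["ts"] + policy.lockout_duration
            st.failures.clear()
            alerts.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"]})
    return alerts, checked, blocked


def max_guesses_per_hour(policy: LockoutPolicy) -> float:
    """Upper bound on online guesses per account per hour once the policy is in force."""
    return policy.threshold * 3600 / policy.lockout_duration.total_seconds()


if __name__ == "__main__":
    alerts, checked, blocked = apply_policy(constructed_events(), LockoutPolicy())
    for a in alerts:
        print(f"ALERT {a['ts'].isoformat()} lockout user={a['user']} source={a['ip']}")
    print(f"guesses that reached verification: {checked}, refused while locked: {blocked}")
    print(f"cap per account per hour with a 5-minute lockout: {max_guesses_per_hour(LockoutPolicy()):.0f}")
```

With the default policy only 20 of the 120 guesses against svc_backup are ever verified and four alerts fire within the first 20 minutes; with no lockout every guess would be verified and nothing would be raised.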

  16. Re:How about? on Ask Slashdot: What To Do With Empty Toner Cartridges? · Score: 5, Informative

    The local big box store has a receptacle for toner cartridges. Hit Best Buy, chuck them in there, call it done, the end.

    I had a lot of toner cartridges as well, but there is no use in keeping them. They are not going to appreciate in value, and as time goes on, that toner cartridge format will be used by fewer printers, so might as well dispose of them properly (and properly isn't the trash can.)

  17. Re:Logical Enough on Bill Gates Investing $2 Billion In Renewables · Score: 1

    Here in Texas, if the logo on the painted sheet metal matches the logo on the breaker, that would be 100% up to code. An interlock like that is the cheapest way to feed a house from a generator safely.

  18. Re:If we only set a string precedent... on When a Company Gets Sold, Your Data May Be Sold, Too · Score: 1

    They can easily change the agreement by updating the TOS and have a statement in said link that continued use of the site constitutes acceptance of the new terms. For a bankrupt company, that would be enough legal CYA to prevent any judge from ever piercing the corporate veil.

  19. Re:Logical Enough on Bill Gates Investing $2 Billion In Renewables · Score: 3, Interesting

    Even now, a Prius with an inverter on the traction battery bank can provide a decent amount of power. With a MEPS alternator, you can get 5 kW+ from a truck or van, so even though it isn't electric, the vehicle can double as a generator (and with the emissions controls on vehicles, that is a lot better for the environment.)

    We are lurching slowly towards that, especially with motorhomes. For example, Roadtrek announced last week the addition of 200-1200 ampere-hour battery packs that charge from the engine. I worked on designing a Transit van conversion that would use a "hybrid" inverter so if plugged into a house (or a small vacation cabin), it would run the electrical system from the van's aux battery bank, then once the batteries hit 60% SoC, fire up a generator.

    I wouldn't be surprised to see this technology filter into cars, be it plugging the vehicle in and using an alternator as a generator, or having the car's battery bank be used first.

  20. Well... duh. on When a Company Gets Sold, Your Data May Be Sold, Too · Score: 3, Insightful

    This has been an issue with any Internet business, be it a cloud provider, dating service, or someone who services vend-a-goat machines. When they go bankrupt, no contracts are honored, and the data falls to the buyer of the company or the physical servers, and can be used, without restriction, by the new party. For example, if a cloud computing service goes bankrupt, the next owner of the physical servers can make a multi-terabyte torrent of the contents, and there is nothing the former clients can do about the data legally.

    The only real solution to this is having part of the bankruptcy law changed to mandate supervised destruction of all data as part of the handover of servers.

  21. Re:Not about getting all of our power from renewab on Bill Gates Investing $2 Billion In Renewables · Score: 1

    There are some battery types which have a very high amount of charging cycles. Supercaps and NiFe batteries come to mind. Neither is great at energy density, but both can (assuming proper care taken) last for a very long time.

  22. Re:Logical Enough on Bill Gates Investing $2 Billion In Renewables · Score: 5, Informative

    A lot of people can't even maintain a home generator. For example, come a disaster, people hit the hardware stores and buy open frame construction generators that put out 4-10 kW. However, they are obscenely noisy. After the disaster, they are shoved in the garage and forgotten about.

    Well, come the next would-be disaster, that generator is pulled out... and won't start. The E-10 gasoline in the tank has turned to varnish, the carb is clogged to uselessness, and in some climates, the windings on the armature are corroded, so it can't even get a current in the first place.

    Good generators are expensive. Yes, one can buy a Harbor Freight special for ~$100, which is a clone of Yamaha's ET800 model, made in the 1970s... but it has no voltage regulation, and has very dirty power, where adding/removing a load may result in a 160 volt spike. A good Yamaha or Honda portable inverter generator costs five to ten times as much as the open framed models found at hardware stores... but are a thousand to ten thousand times as quiet, and have a lot better parts availability. To boot, power is extremely clean.

    Or the generator gets maintained and oiled... and the person uses a "widow maker" cord to backfeed the house power, which is not a good thing for people working on the lines when power is out. Some pocos are so tired of this, they will pull an offending house's meter, and not reconnect power until the place puts in an up-to-code way of allowing for generator power (transfer switch [1], safety breaker interlock [1].)

    In general, home generators are useful, but one can't expect them to realistically be used in a blackout situation.

    [1]: Best of all worlds is a whole-house UPS with two power inputs. That way, the generator is independent of the mains power, and either or both (for a short time) cutting off would not affect power in the house.

  23. Re:Renewable versus fossil - where is nuclear? on Bill Gates Investing $2 Billion In Renewables · Score: 1

    With how beholden we are in the US to coal/oil, I am happy to see -any-... yes, -any- progress in the energy field.

    I do agree -- nuclear is the way to go for the near and medium term. There is so much to be done with thorium reactors, and it would allow us to do things which would be cost-prohibitive now. Thermal depolymerization for example (which would render plastic trash into usable oil.) Desalination is another.

    The ironic thing is that some technologies wind up being embraced by the far left and right. Both the guys with the bunkers and the tree-hugger communes agree on the use of solar, especially in an off-grid usage capacity.

    I am just glad to see someone throwing money into energy R&D. As it stands now, yes, there are improvements in battery tech... but we need batteries at least within an order of magnitude of the energy density of gasoline in order to have something effective for transportation across the board, tossing the IC engine completely and moving to electric motors across the board, from the moped to the 18-wheeler.

    Battery capacity is the biggest limitation, but after that, it will be getting MPPT charge controllers cheaper and prevalent. As of now, I can buy a PWM charge controller for dirt cheap... but it uses a fraction of the energy that comes off of panels for battery charging compared to a decent MPPT model.

  24. Re:You know, it's funny... on How Television Is Fighting Off the Internet · Score: 3, Informative

    Yep, paying for TV, and finding ads to the show are almost a 1:1 ratio.

    Only way to win is not to play.

  25. Re:Or just get rid of it on How Television Is Fighting Off the Internet · Score: 2

    I find that if I watch stuff, it winds up being YouTube videos, and unless I use an add-on, even there, ads are creeping up, becoming more common, and the "skip at five seconds" button has started disappearing.

    It would be nice if YT offered a no ads subscription service... heard talk about it, but nothing seems to have manifested.